Exclusive first interview with key LulzSec hacker

Update: We now know that when "Sabu" – real name Hector Xavier Monsegur – gave the interview below to New Scientist, he was cooperating with the FBI to gather intelligence on Anonymous activities. Read more: "Was our interview with LulzSec hacker an FBI set-up?"

Original article, posted 4 July 2011

It was early May when LulzSec's profile skyrocketed after a hack on the giant Sony corporation. LulzSec's name comes from Lulz, a corruption of LOL, often denoting laughter at the victim of a prank. For 50 days until it disbanded, the group's unique blend of humour, taunting and unapologetic data theft made it notorious. But knowing whether LulzSec was all about the "lulz" or if it owed more to its roots as part of Anonymous – the umbrella group of internet subculture and digital activism – was pure speculation. Until now.

Who is "Sabu"?

I'm a man who believes in human rights and exposing abuse and corruption. I generally care about people and their situations. I'm into politics and I try my best to stay on top of current events.

We've seen you cast as everything from the greatest of heroes to the most evil of villains. How would you characterise yourself?

It is hard for me to see myself as either. I am not trying to be a martyr. I'm not some cape-wearing hero, nor am I some supervillain trying to bring down the good guys. I'm just doing what I know how to do, and that is counter abuse.

What was your first experience with "hacktivism"?

I got involved about 11 years ago when the US navy was using Vieques Island in Puerto Rico as a bombing range for exercises. There were lots of protests going on and I got involved in supporting the Puerto Rican government by disrupting communications. This whole situation was the first of its kind for the island and the people didn't expect things to go that route. Eventually, the US navy left Vieques.

How did you get involved with Anonymous?

When I found out about what happened to Julian Assange, his arrest in the UK and so on, I found it absolutely absurd. So I got involved with Anonymous at that point.

What operation really inspired you and why?

Earlier this year, we got wind of the Tunisians' plight. Their government was blocking access to any website that reported anti-Tunisian information, including Tunileaks, the Tunisian version of Wikileaks, and any news sites discussing them.

Tunisians came to us telling us about their desire to resist. "Disrupt the government of Tunisia," they said, and we did. We infiltrated the prime minister's site and defaced it externally. When Tunisia filtered off its internet from the world, it was the Tunisians who came online using dial-up and literally allowed us to use their connections to tunnel through to re-deface the prime minister's websites. It was the most impressive thing I've seen: a revolution coinciding both physically and online. It was the first time I had proof that what Anonymous was doing was real and it was working.

What would you like to say to people who say that you and other Antisec/Anonymous/LulzSec members are just troublemakers who have caused untold damage and loss to people for no apparent reason?

Would you rather your millions of emails, passwords, dox [personal information] and credit cards be exposed to the wild to be used by nefarious dealers of private information? Or would you rather have someone expose the hole and tell you your data was exploitable and that it's time to change your passwords? I'm sure we are seen as evil for exposing Sony and others, but at the end of the day, we motivated a giant to upgrade its security.

But what about hacks that were done "for lulz"?

Yes, some hacks under LulzSec were done for the lulz, but there are lessons learned from them all. In 50 days, you saw how big and small companies were handling their user data incorrectly. You saw the US federal government vulnerable to security issues that could have just as easily been exploited by foreign governments. You saw affiliates of the US government handling sensitive emails and they themselves ignored the FBI's better practice manuals about password re-use.

With the Public Broadcasting Service site, you saw the media vulnerable to fake articles. And yes, our Frontline hit [the group attacked the PBS's Frontline television programme website after perceived unfair treatment of Wikileaks] was political, but we also showed what could happen if an organisation were to hack 50 of the biggest media publications right now, online, and distribute a mass news article designed to blend in on each outlet's site. That kind of thing would cause some serious havoc. I mean, we're talking about the potential of crashing stocks or spreading damaging rumours. Everything we did had a duality: a lesson and some LOLs at the same time.

A screen grab of the PBS website, showing how it looked following LulzSec's hack-attack (Image: AP Photo)